Forensic Analysis of a Database Attack - Josh Shaul, Office of the CTO, josh@appsecinc.com (PowerPoint presentation transcript, 73 slides)
Slide 1: Forensic Analysis of a Database Attack
Josh Shaul, Office of the CTO, josh@appsecinc.com

Slide 2: This Session's Agenda
  • Introduction
  • Landscape
  • Database Vulnerabilities Are the New Front Lines
  • Attacking Where the Data Resides
  • Planning an Attack
  • Attacking Database Vulnerabilities
  • Available Best Practices and Resources
  • Database Forensics
  • Securing Your Databases
  • Resources for Further Advice and Research

Slide 3: Old Data Processing Environment (diagram only)

Slide 4: New Data Processing Requirement
  • Increasingly Focused Attacks
    • Directly on applications (75%!)
    • Including insiders (80%!)
    • As the perimeter crumbles
  • Demand for Pervasive Access
    • By anyone
    • To any application
    • Increasingly direct
  • Compliance Requirements
    • Info ultimately in DB apps
    • Privacy / confidentiality
    • Integrity
  • Compliance must be
    • Repeatable
    • Demonstrable

Slide 5: Databases Are Under Attack
  • February 2005 to April 2008
    • Total affected customers: 226,784,583
    • Literally hundreds of incidents
    • Victims include financial institutions, government agencies, retailers,
      healthcare providers, universities, manufacturing, consulting and audit firms, ...
  • Incidents reported almost every day
  • Last week alone, 8 incidents affected nearly 1M records

http://www.privacyrights.org/ar/ChronDataBreaches.htm

Slide 6: Recent Incidents (table only)

Slide 7: Database Vulnerabilities (section title)

Slide 8: Established Vulnerability Categories
  • Most commonly known to apply to OSs and NOSs

Slide 9: Categories Also Apply to Databases!
  • Databases are a separate attack vector!

Slide 10: Database Vulnerabilities: Default and Weak Passwords
  • Databases have their own user accounts and passwords

Slide 11: Database Vulnerabilities: Default and Weak Passwords
  • Oracle Defaults (hundreds of them)
    • User Account: internal / Password: oracle
    • User Account: system / Password: manager
    • User Account: sys / Password: change_on_install
    • User Account: dbsnmp / Password: dbsnmp
  • MySQL Defaults
    • User Account: root / Password: null
    • User Account: admin / Password: admin
    • User Account: myusername / Password: mypassword
  • Sybase Defaults
    • User Account: SA / Password: null
  • Microsoft SQL Server Defaults
    • User Account: SA / Password: null

Slide 12: Database Vulnerabilities: Default and Weak Passwords
  • It is important that you have all of the proper safeguards against
    password crackers because:
    • Not all databases have account lockout
    • Database login activity is seldom monitored
    • Scripts and tools for exploiting weak identification control
      mechanisms and default passwords are widely available

Slide 13: Database Vulnerabilities: Denial of Service (DoS) and Buffer Overflows
  • Databases have their own DoSs and buffer overflows

Slide 14: Denial of Service: Databases Have Their Own DoS Attacks
  • Result in the database crashing or failing to respond to connect
    requests or SQL queries.
  • Significant database denial-of-service issues:
    • Oracle8i NSPTCN data offset DoS
    • Oracle9i SNMP DoS
    • Microsoft SQL Server Resolution Service DoS
    • IBM DB2 Date/Varchar DoS

Slide 15: Buffer Overflows: Databases Have Their Own Buffer Overflows
  • Result in an unauthorized user causing the application to perform an
    action the application was not intended to perform.
  • Can allow arbitrary commands to be executed
  • No matter how strongly you've set passwords and other authentication
    features.
  • Significant database buffer overflows:
    • Oracle9i TZ_OFFSET buffer overflow
    • Microsoft pwdencrypt buffer overflow / Resolution Stack Overflow
    • Sybase xp_freedll buffer overflow

Slide 16: Misconfigurations and Resource Privilege Management Issues
  • Misconfigurations can make a database vulnerable

Slide 17: Misconfigurations and Resource Privileges: Misconfigurations Can Make a Database Vulnerable
  • Oracle
    • External Procedure Service
    • Default HTTP applications
    • Privilege to execute UTL_FILE
  • Microsoft SQL Server
    • Standard SQL Server authentication allowed
    • Permissions granted on xp_cmdshell
  • Sybase
    • Permission granted on xp_cmdshell
  • IBM DB2
    • CREATE_NOT_FENCED privilege granted (allows logins to create SPs)
  • MySQL
    • Permissions on the user table (mysql.user)

Slide 18: Database Vulnerabilities Wrap-up (section title)

Slide 19: Emerging Database Threats for 2008
  • Sophisticated attacks that exploit unpatched vulnerabilities
  • Cyber espionage efforts by well-resourced organizations looking to
    extract large amounts of data
  • Insider attacks
  • Insider mistakes
  • Advanced identity theft via database rootkits
  • Increasingly sophisticated social engineering leading to full-blown
    database disclosures
  • Weak or non-existent audit controls
  • Powerful self-propagating attacks distributed via infection kits on
    legitimate websites

Slide 20: Database Attack Illustrations (section title)

Slide 21: Planning an Attack
  • Create a map
    • What does the network look like?
  • Reconnoiter
    • Collect information about the layout of the target
    • What looks interesting?
  • Probe, progress, plot
    • What can we do?
    • Build the springboard for further activity
    • Plan the strike
  • Retreat and re-attack

Slide 22: Directly Attacking a Database: Microsoft SQL Server (Resolution Stack Overflow)
  • Attack Target: Microsoft SQL Server
  • Privilege Level: Network connection to target
  • Outcome: Administrative control of host operating system
  • Vulnerabilities Exploited:
    • Buffer overflows

Slide 23: Discover the Database (screenshot only)

Slide 24: Discover the Database (screenshot only)

Slide 25: Attack Scenario Recap (Map and Recon) (diagram only)

Slide 26: Attack Scenario Recap
  • Now what?
    • Start probing and exploring the possibilities
  • Exploit code is available over the web
    • Microsoft SQL Server Resolution Stack Overflow
    • Payload: create a remote control shell
    • Will only work if they did not patch with Service Pack 3, but we'll see

Slide 27: Start Netcat (screenshot; callouts: "Port to Listen On", "Listen")

Slide 28: Execute Compiled Exploit Code (screenshot only)

Slide 29: Execute Compiled Exploit Code (screenshot; callout: "Target Machine IP")

Slide 30: Execute Compiled Exploit Code (screenshot; callout: "Intruder Machine IP")

Slide 31: Execute Compiled Exploit Code (screenshot; callout: "Port Number")

Slide 32: Execute Compiled Exploit Code (screenshot; callout: "Service Pack Indicator")

Slide 33: Execute Compiled Exploit Code (screenshot only)

Slide 34: Attack Scenario Recap (diagram only)

Slide 35: Directly Attacking a Database Recap: Microsoft SQL Server (Resolution Stack Overflow)
  • Outcome: Complete administrative control of host operating system
  • Vulnerabilities Exploited:
    • Buffer overflows
  • How did we do it? Freely available exploit code!
    • Microsoft SQL Server Remote Stack Overflow

Slide 36: Directly Attacking a Database: Oracle (DB18 Exploit)
  • Attack Target: All Oracle databases
  • Privilege Level: Anyone with a login
    • Examples: SCOTT / TIGER or guest account
  • Outcome: Complete administrative control!
  • Vulnerabilities Exploited:
    • Bug in the Oracle login protocol

Slide 37: Directly Attacking a Database: Oracle (DB18 Exploit)
  • Check out the following website:
    • http://www.adp-gmbh.ch/blog/2006/01/24.php
  • What's on this website? Perl scripts that can be used to do all of the following:
    • Proxy a connection
    • Create an account
    • Escalate the privileges of that account to DBA

Slide 38: Directly Attacking a Database: Oracle (DB18 Exploit)
  • Proxy a connection
    • Set up the proxy
    • http://www.adp-gmbh.ch/perl/proxy.html#package

Slide 39: Directly Attacking a Database: Oracle (DB18 Exploit)
  • Proxy a connection
    • Edit the local tnsnames.ora file on the client
    • http://www.adp-gmbh.ch/blog/2006/01/24.php
    • Update it to point communications to the port where the proxy is
      going to live (1234)

(screenshots: tnsnames.ora "Before" and "After")

Slide 40: Directly Attacking a Database: Oracle (DB18 Exploit)
  • proxy_do_sql.pl
    • globi is the database server being attacked
    • Creates a listening socket on port 1234 on the localhost
    • Accepts the packet and searches in it for the string it's looking to
      replace: ALTER SESSION SET NLS_LANGUAGE
    • Replacing the ALTER USER with the malicious SQL

Slide 41: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 42: Directly Attacking a Database: Oracle (DB18 Exploit)
  • So far:
    • Verified who the DBAs (Database Administrators) are within the database
  • What now?
    • Start the proxy that we built using the Perl script on our client machine
    • Create a new account, evil_user

Slide 43: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 44: Directly Attacking a Database: Oracle (DB18 Exploit)
  • So far:
    • The proxy is waiting for any login to execute, creating the evil_user account
  • What now?
    • Log in with account scott and password tiger

Slide 45: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 46: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 47: Directly Attacking a Database: Oracle (DB18 Exploit)
  • So far:
    • We created the evil_user account
  • What's next?
    • Set up the proxy again so that it will establish evil_user as a DBA
      (Database Administrator)

Slide 48: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 49: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 50: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 51: Attacking a Database (DB18 Exploit) (screenshot only)

Slide 52: Directly Attacking a Database Recap: Oracle (DB18 Exploit)
  • Outcome: Complete administrative control!
  • Vulnerabilities Exploited:
    • Bug in the Oracle login protocol
  • How did we do it? Freely available exploit code!
    • Just look up "Oracle DB18 Exploit"

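The DB18 walkthrough above leaves a footprint a defender can look for: a low-privilege login (SCOTT) whose session performs CREATE USER and GRANT DBA, and does so at the moment of logon because the SQL was injected into the handshake. The following is an added example, not code from the presentation, that runs that check over audit rows shaped like Oracle's DBA_AUDIT_TRAIL view; the DBA set, the meaning given to OBJ_NAME and the rows themselves are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

DBA_USERS = {"SYS", "SYSTEM"}  # assumed DBA set; take it from DBA_ROLE_PRIVS in practice
PRIV_ACTIONS = {"CREATE USER", "ALTER USER", "GRANT ROLE", "GRANT OBJECT"}  # DBA_AUDIT_TRAIL ACTION_NAME values

# Constructed rows using DBA_AUDIT_TRAIL column names, in time order. OBJ_NAME is
# assumed here to carry the created user or granted role. SCOTT's two logons each
# carry an injected statement, the footprint a DB18-style proxy leaves behind.
AUDIT_ROWS = [
    {"USERNAME": "SYSTEM", "ACTION_NAME": "LOGON", "OBJ_NAME": None, "TIMESTAMP": "2008-04-04 09:00:01"},
    {"USERNAME": "SYSTEM", "ACTION_NAME": "CREATE USER", "OBJ_NAME": "APP_RO", "TIMESTAMP": "2008-04-04 09:03:10"},
    {"USERNAME": "SCOTT", "ACTION_NAME": "LOGON", "OBJ_NAME": None, "TIMESTAMP": "2008-04-04 10:15:00"},
    {"USERNAME": "SCOTT", "ACTION_NAME": "CREATE USER", "OBJ_NAME": "EVIL_USER", "TIMESTAMP": "2008-04-04 10:15:01"},
    {"USERNAME": "SCOTT", "ACTION_NAME": "LOGOFF", "OBJ_NAME": None, "TIMESTAMP": "2008-04-04 10:15:20"},
    {"USERNAME": "SCOTT", "ACTION_NAME": "LOGON", "OBJ_NAME": None, "TIMESTAMP": "2008-04-04 10:16:00"},
    {"USERNAME": "SCOTT", "ACTION_NAME": "GRANT ROLE", "OBJ_NAME": "DBA", "TIMESTAMP": "2008-04-04 10:16:00"},
    {"USERNAME": "HR_APP", "ACTION_NAME": "GRANT OBJECT", "OBJ_NAME": "EMPLOYEES", "TIMESTAMP": "2008-04-04 14:40:12"},
]

def _ts(row):
    return datetime.strptime(row["TIMESTAMP"], "%Y-%m-%d %H:%M:%S")

def privilege_actions_by_non_dbas(rows, dba_users=DBA_USERS, window=timedelta(seconds=5)):
    """(user, action, object, at_logon) for each privilege action by a non-DBA.
    at_logon is True when it fell within `window` of that user's latest LOGON:
    SQL injected into the logon handshake runs there, hand-typed SQL rarely does."""
    last_logon, findings = {}, []
    for row in rows:
        user, action = row["USERNAME"], row["ACTION_NAME"]
        if action == "LOGON":
            last_logon[user] = _ts(row)
        elif action in PRIV_ACTIONS and user not in dba_users:
            logon = last_logon.get(user)
            at_logon = logon is not None and _ts(row) - logon <= window
            findings.append((user, action, row["OBJ_NAME"], at_logon))
    return findings

def dba_grants(rows):
    """Who granted DBA and when: reconcile against the DBA list verified earlier."""
    return [(r["USERNAME"], r["TIMESTAMP"]) for r in rows
            if r["ACTION_NAME"] == "GRANT ROLE" and r["OBJ_NAME"] == "DBA"]

if __name__ == "__main__":
    for user, action, obj, at_logon in privilege_actions_by_non_dbas(AUDIT_ROWS):
        print(user, action, obj, "(during logon)" if at_logon else "")
```

With native auditing off (slide 65's point) none of these rows exist, which is why the recap's "freely available exploit code" is so hard to reconstruct after the fact.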
Slide 53: Attacking Databases Over the Internet: Exploiting Search Engines (Google)
  • Attack Target: Oracle
  • Privilege Level: Anyone with access to the web and a search engine
  • Outcome: Complete administrative control
  • Vulnerabilities Exploited:
    • Misconfigurations and resource privilege management

Slide 54: How Is Google Used for Attacks?
  • The first thing an attacker needs is information
    • Where to attack
    • What a site is vulnerable to
  • Google is a large repository of information
    • Every web page in your application
    • Every domain on the Internet
  • Google provides an attacker:
    • The ability to search for attack points on the Internet
    • The ability to search for an attack point in a specific website
    • The ability to look for specific URLs or files

Slide 55: Example: Looking for iSQL*Plus
  • Oracle HTTP Servers
    • Execute queries on the database using an HTTP form
    • Accessed using the URL /isqlplus
    • By default runs on any Oracle HTTP server installed with:
      • Oracle Application Server
      • Oracle Database Server
  • A search can be performed on Google
    • Looking for Oracle HTTP servers
    • Using the allinurl: advanced search feature

Slide 56: Using Google Advanced Search (screenshot only)

Slide 57: Results of Google Advanced Search (screenshot only)

Slide 58: Yahoo! Advanced Search Works Too (screenshot only)

Slide 59: Default Username/Password (screenshot only)

Slide 60: Attacker Is in the Database (screenshot only)

Slide 61: Attacker Can Execute Any Query (screenshot only)

Slide 62: Attacking Databases Over the Internet Recap: Exploiting Search Engines (Google)
  • Outcome: First step towards administrative control!
  • Vulnerabilities Exploited:
    • Misconfigurations and resource privilege management
  • How did we do it?
    • Googled for isql and took advantage of poor security practices!

Slide 63: Available Best Practices and Resources (section title)

Slide 64: What to Look For If You Suspect an Attack
  • Attacks typically require multiple tries
    • Look for evidence of trial and error
  • Normalize all your data
    • Find what is typical and then eliminate that
    • Look through what is not typical
    • You will typically find clusters of errors reflecting an attack
  • Narrow down the time period in which the attack most likely occurred
    • Focus in on events around that time/date
    • Look at events from multiple sources to piece together what might
      have happened
  • Determine the most likely source of the attack
    • Hacker using a password attack or buffer overflow
    • Customer using privilege escalation
    • Employee using special access
    • Do not rule out any attack vector

Slide 65: Forensics Basics
  • If you discover an attack, take a baseline of your system
    • Preserve the evidence
    • Secure the audit trail
    • Clearly, this is easier with auditing enabled; with no auditing, your
      recourse in the event of an attack is somewhat constrained
  • Examine systems for active and sleeping files
    • Attacks come in all flavors: they can come in, test a few things, or
      they can steal whole databases. Or they can just put an exe file in
      the database and wait. Look for everything. Everywhere.
    • Use tools and automation to simplify this process when possible; it's
      a big task and can be daunting.
  • Stay vigilant
    • One thing that has been an increasing trend in recently revealed
      attacks: they come back. Sophisticated hackers often test, drill and
      mine systems for months.

Slide 66: Database Forensics
  • The database can provide valuable forensic evidence in case of a
    suspected breach
    • Identify before and after data values
    • Recover deleted data
    • Examine structural and data changes
    • Prove whether there was indeed a breach
    • Determine the scope of the damage / loss
  • Capabilities are significantly augmented with a 3rd-party database
    activity monitoring system
  • Native database auditing can be a big help too

Slide 67: Oracle Forensic Data Sources
  • Within ORACLE_HOME/admin/
    • pdump/alert_.log
    • cdump/core.log: raw stack dumps resulting from buffer overflow attacks
      • Look for malicious payload in this file
      • Groupings of attacks
    • udump/_s001_4382.trc: user trace file, might contain user errors
  • Within ORACLE_HOME/network/log
    • listener.log contains connections to the listener service
    • agntsvrc.log, etc. contain logs on components of the database
  • Files may be anywhere on the system
    • sqlnet.log files show network traffic from the client
    • SQL*Net trace files, e.g. cli_3736.trc

Slide 68: MS SQL Forensic Data Sources
  • Active Database Data
    • Sessions, users, requests, memory contents
  • Transaction Logs
    • \Program Files\Microsoft SQL Server\MSSQL\Data\*.ldf
    • View changes and who made them (DDL and DML statements)
  • SQL Server Error Logs
    • \Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG
    • Logins, logouts and failed logins (includes source IP)
    • Database starting and stopping
  • SQL Server Trace Files (if present)
    • \Program Files\Microsoft SQL Server\MSSQL\LOG\*.trc
    • Detailed listing of SQL statements

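Slide 64's advice (look for trial and error, cluster the errors, narrow the time window) applied to the ERRORLOG source listed above: the following added example, not code from the presentation, parses the logon lines, groups failures by client address, and reports any burst followed by a success from the same client. The log lines are constructed for the example; only their layout follows SQL Server's logon messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG-style lines (real logon message layout; made-up data).
ERRORLOG = """\
2008-04-04 10:12:01.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2008-04-04 10:12:01.62 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2008-04-04 10:12:02.15 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2008-04-04 10:12:02.70 Logon       Login failed for user 'admin'. [CLIENT: 10.0.0.5]
2008-04-04 10:12:03.31 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2008-04-04 10:12:04.02 Logon       Login succeeded for user 'sa'. [CLIENT: 10.0.0.5]
2008-04-04 10:30:15.00 Logon       Login failed for user 'appuser'. [CLIENT: 192.168.1.20]
2008-04-04 11:02:44.00 Logon       Login succeeded for user 'appuser'. [CLIENT: 192.168.1.20]
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) Logon\s+Login (?P<result>failed|succeeded) "
                     r"for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def parse_logon_events(text):
    """(timestamp, result, user, client) per Logon line; other lines skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["result"], m["user"], m["client"]))
    return events

def find_login_bursts(events, threshold=4, window=timedelta(minutes=1)):
    """A client with >= threshold failures inside `window` is a trial-and-error
    cluster; a success from it within `window` of the last failure is the
    likely guessed account (the 'failed, failed, ..., succeeded' footprint)."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[3]].append(ev)
    bursts = []
    for client, evs in sorted(by_client.items()):
        fails = [e for e in evs if e[1] == "failed"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                end = fails[j][0]
                bursts.append({
                    "client": client, "first": fails[i][0], "failures": j - i + 1,
                    "users_tried": sorted({e[2] for e in fails[i:j + 1]}),
                    "success_after": sorted({e[2] for e in evs if e[1] == "succeeded"
                                             and end <= e[0] <= end + window})})
                break  # one report per client is enough for triage
    return bursts
```

The "first" timestamp of each burst is the narrowed time window slide 64 asks for; the ERRORLOG only records a client address, so the trace files and transaction log are where the rest of that session is reconstructed.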
Slide 69: How Do You Secure Databases?
Apply the vulnerability management lifecycle...
  • Prioritize based on vulnerability, threat, and asset classification data
  • Document the security plan
  • Inventory assets
  • Identify vulnerabilities
  • Develop a baseline
  • Eliminate high-priority vulnerabilities
  • Establish controls
  • Demonstrate progress
  • Monitor known vulnerabilities
  • Watch unpatched systems
  • Alert on other suspicious activity

Slide 70: How Do You Address These Vulnerabilities?
  • Start with a secure configuration
  • Stay patched
    • Stay on top of all the security alerts and bulletins
  • Defense in depth / multiple levels of security
    • Regularly scan your databases for vulnerabilities
    • Fix the problems reported!
  • Implement database activity monitoring and database intrusion detection
    • Especially if you can't stay patched!
  • Encryption of data in motion / data at rest

Slide 71: Best Practices Provided by Database Vendors and Notable Third Parties
  • Oracle
    • Oracle9i Security Checklist
      otn.oracle.com/deploy/security/oracle9i/index.html
    • Oracle Project Lockdown
      www.oracle.com/technology/pub/articles/project_lockdown/index.html
    • Oracle Security Checklist
      www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
  • SANS Institute (SysAdmin, Audit, Network, Security)
    • Oracle Database Checklist
      www.sans.org/score/checklists/Oracle_Database_Checklist.doc
  • Microsoft
    • 10 Steps to Secure SQL Server
      www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
  • SQLSecurity.com
    • SQLSecurity Checklist
      www.SQLSecurity.com

Slide 72: Database Security Info from AppSecInc
  • White Papers
    http://www.appsecinc.com/techdocs/whitepapers/research.shtml
    • Database Activity Monitoring
    • Search Engines Used to Attack Databases
    • Introduction to Database and Application Worms
    • Hunting Flaws in Microsoft SQL Server
  • Presentations
    http://www.appsecinc.com/techdocs/presentations.shtml
    • Protecting Databases
    • Hack-Proofing MySQL, IBM DB2, Oracle9iAS
    • Writing Secure Code in Oracle
  • Security alerts
    www.appsecinc.com/resources/mailinglist.html

Slide 73: Thank You
  • Questions?
    • Vulnerabilities?
    • Locking down the database?
  • Email our security experts at asktheexpert@appsecinc.com